Malicious PDF — malware analysis report

Static analysis result for SHA-256 72135704d7d104d8…

MALICIOUS

PDF

Size: 179.8 KB
Created: 2021-06-09 06:08:13 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
First seen: 2021-11-24
MD5: e506a91cbbe36675e2ca45c30b5490b0
SHA-1: 055c1ba4e9fbc0ff4f18026b8748c212f8e15ce3
SHA-256: 72135704d7d104d80c18e1f5b81e55c9577132c460917b05a6fd4c274b2f593b
Risk score: 122

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1203 Exploitation for Client Execution
  • T1059.007 JavaScript

Heuristics indicate that the PDF is a link farm hosted on disposable hosting and that it uses social-engineering lures such as urgency language and a visual download button. It also explicitly instructs the user to install a browser extension or update. No scripts were extracted, but the embedded URLs together with these heuristics suggest the document is designed to trick the user into downloading and executing a malicious payload, most likely through a fake browser update or extension installer.

Machine Learning

  • Nyx PDF Classifier malicious score 0.9420

Heuristics 7

  • Browser extension / update installation lure (high, SE_BROWSER_INSTALL_LURE)
    Document tells the user to install a browser extension, plugin, viewer, or browser update to view content — a common social-engineering path for credential theft and malware installation
  • Small PDF is a non-clustered link farm on disposable hosting (medium, PDF_SEO_DISPOSABLE_LINK_FARM)
    Small PDF contains many clickable external PDF links spread thin across many distinct hosts (no single dominant host), corroborated by a utm_term SEO-redirector link and/or links parked on free/disposable content hosts. This is the 'free document/template' SEO phishing PDF family, which ranks for search queries and routes users into payload/redirect chains, rather than a normal document citation pattern. The PDF itself carries no exploit — the risk is the linked destinations.
  • Urgency / deadline lure (low, SE_URGENCY_LURE)
    Document contains urgency or deadline language ('account will be terminated', 'action required within 24 hours', etc.) — useful context, but low-signal without other findings
  • Visual download / call-to-action button lure (low, SE_DOWNLOAD_BUTTON)
    Document contains a call-to-action phrase ('Click here to download', 'Download Now', etc.) — low-signal unless other findings point to a malicious workflow
  • External URI (info, PDF_URI)
    PDF contains an external URL action
  • Object number defined twice with different bodies (info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL)
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL (info, EMBEDDED_URL)
    One or more URLs were extracted from the document. The URL itself is not a detection — see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.
    • https://oniceh.ru/pbw?utm_term=gx+uc+tool+pro  [PDF link annotation]
    • https://kujepilam.weebly.com/uploads/1/3/5/3/135343620/tubogijinofeli_vosun_zowogiw_foxoruzamis.pdf  [PDF document text]
    • https://cdn-cms.f-static.net/uploads/4421209/normal_5fd77cea780c7.pdf  [PDF document text]
    • https://static.s123-cdn-static.com/uploads/4412170/normal_5fed82679d03f.pdf  [PDF document text]
    • https://cdn-cms.f-static.net/uploads/4373527/normal_605d94c344cce.pdf  [PDF document text]
    • https://nasuvanebi.weebly.com/uploads/1/3/5/3/135393195/pariz.pdf  [PDF document text]
    • https://cdn-cms.f-static.net/uploads/4411501/normal_6061f57d22979.pdf  [PDF document text]
    • https://cdn-cms.f-static.net/uploads/4489052/normal_60397466f0f8a.pdf  [PDF document text]
    • https://cdn-cms.f-static.net/uploads/4403131/normal_60402f62cdf2f.pdf  [PDF document text]
    • https://cdn-cms.f-static.net/uploads/4388052/normal_6033e951969e6.pdf  [PDF document text]
    • https://rejudizik.weebly.com/uploads/1/3/4/7/134701546/f8200ea0621a70e.pdf  [PDF document text]
    • https://guxikotazo.weebly.com/uploads/1/3/4/7/134704652/fewigoguxo_vamare_ladomogo.pdf  [PDF document text]
    • https://sazigusejif.weebly.com/uploads/1/3/4/7/134771803/4564977.pdf  [PDF document text]
    • https://xawoveramexu.weebly.com/uploads/1/3/4/0/134095940/6987783.pdf  [PDF document text]
    • https://gilaxaled.weebly.com/uploads/1/3/1/4/131438091/6c61efcfc.pdf  [PDF document text]
    • https://static.s123-cdn-static.com/uploads/4473902/normal_5ffbe50855374.pdf  [PDF document text]
    • http://www.ascendercorp.com/  [PDF document text]
    • http://www.ascendercorp.com/typedesigners.html  [PDF document text]
    • http://www.opentle.org  [PDF document text]
    • http://fedorahosted.org/lohit  [PDF document text]
    • https://uploads.strikinglycdn.com/files/356caf97-2d02-4688-bfb3-34e7d7f565ff/5705694525.pdf  [PDF document text]
    • http://gezebal.pbworks.com/f/45159473816.pdf  [PDF document text]
    • https://uploads.strikinglycdn.com/files/baa1fdc1-24ea-4492-b3a5-3e3f0c9c2464/brene_brown_netflix_special_trailer.pdf  [PDF document text]
    • http://poguvovuk.pbworks.com/w/file/fetch/144676467/filme_online_subtitrate_romana_vox.pdf  [PDF document text]
    • https://uploads.strikinglycdn.com/files/d78a1a41-383d-48fc-9454-0cf39ee2742a/jivitotoxus.pdf  [PDF document text]
    • https://uploads.strikinglycdn.com/files/d6743e9f-58a4-46db-8d81-45aa05146931/34409384132.pdf  [PDF document text]
    • http://www.w3.org/1999/02/22-rdf-syntax-ns#  [PDF document text]
    • http://purl.org/dc/elements/1.1/  [PDF document text]
    • http://ns.adobe.com/pdf/1.3/  [PDF document text]
    • http://ns.adobe.com/xap/1.0/  [PDF document text]
    • http://ns.adobe.com/xap/1.0/mm/  [PDF document text]
    • http://ns.adobe.com/xap/1.0/rights/  [PDF document text]
    • http://dejavu.sourceforge.net  [PDF document text]
    • http://dejavu.sourceforge.net/wiki/index.php/License  [PDF document text]
    • http://scripts.sil.org/OFL  [PDF document text]
    • http://www.gnu.org/licenses/gpl.html  [PDF document text]

Extracted artifacts 7

Files carved from inside the sample during analysis.

  • stream_009_off00028602.bin
    Kind: decompressed-pdf-stream
    Source: PDF FlateDecoded stream at offset 0x28602
    Size: 25384 bytes
    SHA-256: 97daa8492b1498993346d05ebdf5d167746f12000a3482b36131d8dd4b325981
  • font_00_sfnt_off0001fc26.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x1FC26
    Size: 5684 bytes
    SHA-256: a89411c3b6c91e40899e5dbdf4bca151a5b456b05fddfa2ccd45d8f662d29df0
  • font_01_sfnt_off00021002.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x21002
    Size: 4636 bytes
    SHA-256: d30e3fbdd5abffaea07dd21b0da1c65b243ed1ce7b25967f51e831bfbf10a539
  • font_02_sfnt_off00021fd9.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x21FD9
    Size: 6092 bytes
    SHA-256: 7e60ec9190dfd3a8ac6139726088165d189e8c4f0c2fea0c453c52bc8de94a8d
  • font_03_sfnt_off00022f8b.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x22F8B
    Size: 8180 bytes
    SHA-256: 45d1c5115e9690401db46604b14d69bc91011ab3ff7b1f97699b9b4ae60c7d59
  • font_04_sfnt_off00024acb.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x24ACB
    Size: 19712 bytes
    SHA-256: 67e2901120ce1081f6fb657bfeee563b6a1ad620915c21f6ea82f441d577229f
  • font_06_sfnt_off0002b283.bin
    Kind: pdf-font-stream
    Source: PDF embedded font (sfnt) at offset 0x2B283
    Size: 3248 bytes
    SHA-256: e9dd7124a399f0df0a4c85d08182d31bb088fe5cded375f3a76f777e375800dc